redhat: Build IMA CA certificate into the Fedora kernel

Merged Coiby Xu requested to merge coxu/kernel-ark:ima_keys into os-build

Since Fedora 37, package files have been signed with IMA signatures [1]. This patch builds the Fedora IMA CA certificate fedoraimaca.x509[2] into the .builtin_trusted_keys keyring. With a proper IMA policy applied, the kernel can provide system-wide integrity protection. With Secure Boot enabled, the trust can be extended to the user space.

Note the Fedora IMA code signing certs are inside /etc/keys/ima after installing fedora-gpg-keys.

[1] https://fedoraproject.org/wiki/Changes/Signed_RPM_Contents
[2] https://src.fedoraproject.org/rpms/fedora-repos/blob/rawhide/f/fedora-ima-ca.der

Signed-off-by: Coiby Xu <coxu@redhat.com>
